paws.networking (version 0.1.11)

route53_create_key_signing_key: Creates a new key signing key (KSK) associated with a hosted zone

Description

Creates a new key signing key (KSK) associated with a hosted zone. You can only have two KSKs per hosted zone.

Usage

route53_create_key_signing_key(CallerReference, HostedZoneId,
  KeyManagementServiceArn, Name, Status)

Arguments

CallerReference

[required] A unique string that identifies the request.

HostedZoneId

[required] The unique string (ID) used to identify a hosted zone.

KeyManagementServiceArn

[required] The Amazon resource name (ARN) for a customer managed key (CMK) in AWS Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key signing key (KSK) in a single hosted zone. To see an example of KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll down to Example.

You must configure the CMK as follows:

  • Status: Enabled

  • Key spec: ECC_NIST_P256

  • Key usage: Sign and verify

Key policy

The key policy must give permission for the following actions:

  • DescribeKey

  • GetPublicKey

  • Sign

The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:

  • "Service": "api-service.dnssec.route53.aws.internal"

For more information about working with CMK in KMS, see AWS Key Management Service concepts.

Name

[required] An alphanumeric string used to identify a key signing key (KSK). Name must be unique for each key signing key in the same hosted zone.

Status

[required] A string specifying the initial status of the key signing key (KSK). You can set the value to ACTIVE or INACTIVE.
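The CMK requirements listed under KeyManagementServiceArn can be checked before the KSK is created. The following is an added example, not part of the paws documentation: check_ksk_cmk is a hypothetical helper, the metadata field names assume the shape of the KMS DescribeKey KeyMetadata response, the kms: action prefix is the usual IAM form of the actions named above, and the sample input is constructed.

```r
library(jsonlite)

# Requirements taken from the KeyManagementServiceArn description above.
required_actions  <- c("kms:DescribeKey", "kms:GetPublicKey", "kms:Sign")
service_principal <- "api-service.dnssec.route53.aws.internal"

# Hypothetical helper: returns a character vector of problems (empty = OK).
# meta: list shaped like KeyMetadata from KMS DescribeKey (assumed shape).
# policy_json: the key policy document as a JSON string.
check_ksk_cmk <- function(meta, policy_json) {
  problems <- character(0)
  if (!identical(meta$KeyState, "Enabled"))
    problems <- c(problems, "CMK status is not Enabled")
  if (!identical(meta$CustomerMasterKeySpec, "ECC_NIST_P256"))
    problems <- c(problems, "key spec is not ECC_NIST_P256")
  if (!identical(meta$KeyUsage, "SIGN_VERIFY"))
    problems <- c(problems, "key usage is not Sign and verify")

  stmts <- fromJSON(policy_json, simplifyVector = FALSE)$Statement
  if (!is.null(names(stmts))) stmts <- list(stmts)  # single statement object
  granted <- character(0)
  for (s in stmts) {
    # Only Allow statements whose Principal names the Route 53 service count.
    if (!identical(s$Effect, "Allow") || !is.list(s$Principal)) next
    if (service_principal %in% unlist(s$Principal$Service))
      granted <- c(granted, tolower(unlist(s$Action)))  # actions ignore case
  }
  if (any(c("*", "kms:*") %in% granted)) {
    problems <- c(problems, "wildcard action granted; only three are required")
  } else {
    missing <- required_actions[!tolower(required_actions) %in% granted]
    for (a in missing)
      problems <- c(problems, paste("key policy does not allow", a))
  }
  problems
}

# Constructed sample input: the policy omits kms:Sign on purpose.
meta <- list(KeyState = "Enabled", CustomerMasterKeySpec = "ECC_NIST_P256",
             KeyUsage = "SIGN_VERIFY")
policy_json <- '{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Service": "api-service.dnssec.route53.aws.internal"},
  "Action": ["kms:DescribeKey", "kms:GetPublicKey"],
  "Resource": "*"}]}'
print(check_ksk_cmk(meta, policy_json))
```

An empty result means the CMK meets the requirements listed above. Condition elements in the policy are not evaluated by this check.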

Value

A list with the following syntax:

list(
  ChangeInfo = list(
    Id = "string",
    Status = "PENDING"|"INSYNC",
    SubmittedAt = as.POSIXct(
      "2015-01-01"
    ),
    Comment = "string"
  ),
  KeySigningKey = list(
    Name = "string",
    KmsArn = "string",
    Flag = 123,
    SigningAlgorithmMnemonic = "string",
    SigningAlgorithmType = 123,
    DigestAlgorithmMnemonic = "string",
    DigestAlgorithmType = 123,
    KeyTag = 123,
    DigestValue = "string",
    PublicKey = "string",
    DSRecord = "string",
    DNSKEYRecord = "string",
    Status = "string",
    StatusMessage = "string",
    CreatedDate = as.POSIXct(
      "2015-01-01"
    ),
    LastModifiedDate = as.POSIXct(
      "2015-01-01"
    )
  ),
  Location = "string"
)

Request syntax

svc$create_key_signing_key(
  CallerReference = "string",
  HostedZoneId = "string",
  KeyManagementServiceArn = "string",
  Name = "string",
  Status = "string"
)